- Author: @MrStahlfelge,@aslesarenko
- Status: Proposed
- Created: 18-August-2021
- License: CC0
- Forking: not needed
- Description
- Background And Motivation
- Cold Signing Problem
- Simplified Signing using ReducedTransaction
- Transaction Interchange
- Reference Implementation of Hot Wallet
- Reference Implementation of Cold Wallet
- Benefits
This EIP defines a standard for cross-device interaction between "Hot" (online) and "Cold" (offline) wallets for signing Ergo transactions.
Mobile wallets (like Ergo Android Wallet) typically store private keys (aka mnemonics) on the device.
However, modern mobile OSes (Android, iOS) as well as desktop PCs are always connected to the internet and can be hacked and secrets stolen. Screenreading and keystroke logging are system-independant ways to steal user data.
That is why specialized hardware wallets are considered much more secure to store private keys.
Another option for more security is to use "Cold" wallet - a device which is not connected to the internet or better, with all connectivity turned-off and internet access blocked. Candidates could be outdated (but still functioning) mobile devices with clean factory setup or a Raspberry Pi with a fresh Raspbian setup and only Cold Wallet application installed. As long as the device never connects to the internet, it is guaranteed that no secrets left the device.
Interaction with the Cold Wallet device can be done via QR codes (in case of mobile devices) or by transferring files (in case of Raspberry Pi). For simplicity, only QR code is mentioned in the following text. This does not mean any restriction of the transportation method.
- A user creates a transaction in the Hot Wallet application and then presses a "Sign With Cold Wallet" button
- The Hot Wallet application shows a QR code with serialized transaction bytes on the screen
- User scans the QR code using the Cold Wallet device, signs the transaction after which QR code of the signed transaction is displayed.
- Then user scans the QR code of the signed transaction and sends it to blockchain.
The design of Ergo contracts allows for a simple and universal implementation which we describe in Reference Implementation section.
In the following sections we:
- describe a solution;
- specify a protocol with two roles: HotWallet and ColdWallet which must be implemented by complying Wallet applications and
- describe a reference implementation of both Hot and Cold roles in Ergo Wallet App.
In order to overcome the problem of Context size we can rely on the ability of Ergo provers to reduce transaction without signing it. The result of such reduction is a data structure called ReducedTransaction.
Having the ReducedTransaction data structure the full transaction signing
consists of three steps
- Create unsigned transaction and then reduce it in the current blockchain context, which has connection to one of the network nodes. This step is performed on Hot Wallet and produces ReducedTransaction without requiring secret keys.
val ctx: BlockchainContext = ...
val unsignedIx = createTransaction(ctx, from, to, amountToSend, assets)
val prover = ctx.newProverBuilder.build // prover without secrets
val reducedTx: ReducedTransaction = prover.reduce(unsigned, 0)
-
Serialize ReducedTransaction data structure to bytes and then pass it to the Cold Wallet via QR code.
-
Once scanned in the Cold Wallet, the ReducedTransaction object can be deserialized back from bytes and then signed using prover configured with local secrets.
val reducedTx = ReducedTransactionSerializer.fromBytes(reducedTxBytes)
val ctx: ColdBlockchainContext = ...
// create prover in the cold context using secrets stored on this device
val prover = ctx.newProverBuilder.withSecretStorage("storage.json").build
val signedTx = prover.signReduced(reducedTx)
It is important to note, that signatures for all inputs of the ReducedTransaction can be generated directly, without script evaluation (aka script reduction) and thus, Cold Wallet don't need complex spending contexts.
For better security and usability additional data can be transfered between Hot and Cold wallets via QR codes. Hot Wallet passes data to the Cold Wallet using ColdSigningRequest data format and Cold Wallet replies back with ColdSigningResponse.
Json format, holding
- reducedTx (mandatory): Base64-encoded
ReducedTransactionas defined above - sender (optional): P2PK address sending the transaction, can be used by cold wallets to determine which secret to use for signing the transaction
- inputs (mandatory): List of base64-encoded serialized input boxes, can be used by cold wallets to show the user which boxes are burnt
Json format, holding
- signedTx (mandatory): Base64-encoded
SignedTransaction
As QR codes are length-limited and it could be needed to transfer the data in chunks, it is needed to wrap the actual data sent by a small layer containing information about number of chunk pages and page index of a chunk. This is done by wrapping it in another JSON container with three properties:
- The actual chunk data, named CSR for ColdSigningRequest or CSTX for ColdSigningResponse
- property "p", 1-based page index of current chunk (optional if there is only one page)
- property "n", number of pages (optional if there is only one page)
Examples: The QR code for a complete ColdSigningRequest contains the following data:
{"CSR":"{\"reducedTx\":\"....\",\"sender\":\"9...\",\"inputs\":[\"...\"]}"}
The QR code for the first chunk of a ColdSigningResponse with 3 pages total looks like the following:
{"CSTX":"{\"signedTx\":\"... (actual data, no valid JSON on its own)","n":3,"p":1}
In addition to using the above formats the following requirements are imposed on Hot Wallet and Cold Wallets:
-
There should be a way for a given unsigned transaction on the HotWallet to show QR code of ColdSigningRequest on the screen, and then scan the QR code of the corresponding ColdSigningResponse.
-
There should be a way on ColdWallet to scan QR code of ColdSigningRequest, show transaction details on the screen and allow user to either sign or reject. If signed, the QR code of ColdSigningResponse should be shown.
A special ColdErgoClient instance can be created to perform signing
operations. ColdErgoClient don't have connections to Ergo nodes and explorer,
moreover for better security, cold client can forbig operations if any
device connectivity is turned-on, such as WiFi, Bluetooth, NFC, Cellular etc.
Note, using ColdErgoClient is not strictly required and ordinary client can be
used instead, however ColdErgoClient allows this EIP to be easily supported in an
implementation of Cold Wallet application based on Appkit.
Any wallet can become compatible with this EIP by implementing HotWallet role in addition to basic wallet features. Any Hot wallet implementation can interact with any Cold wallet implementation. Users have an alternative to specialized hardware wallets and can gain more security for their funds stored on the Ergo Blockchain.